Univention Bugzilla – Bug 54497
wrong resolving of nested groups in /var/cache/univention-portal/groups.json - portal tile visibility is too permissive
Last modified: 2022-08-22 19:07:16 CEST
The group memberships are built incorrectly in the group-cache. Example: User A is a member of group 1, which in turn is a member of group 2. User B is a member of group 2:

|----------Group 2-----------|
|                            |
|  |--Group 1--|             |
|  |           |             |
|  |  User A   |   User B    |
|  |           |             |
|  |-----------|             |
|                            |
|----------------------------|

In the cache, however, user B is also a member of group 1, which he is not allowed to be after the correct resolution of the group memberships.
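The correct resolution described above, as an added example that is not code from univention-portal or univention-group-membership-cache: nested member groups are expanded downwards into the containing group, while users of the containing group never leak into the nested group. The group data and DNs are constructed.

```python
# Added example, not the project's own cache code. The directory data below
# is constructed: group DN -> uniqueMember DNs (users or other groups).
GROUP1 = "cn=group1,cn=groups,dc=example,dc=com"
GROUP2 = "cn=group2,cn=groups,dc=example,dc=com"
USER_A = "uid=usera,cn=users,dc=example,dc=com"
USER_B = "uid=userb,cn=users,dc=example,dc=com"

GROUPS = {
    GROUP1: [USER_A],
    GROUP2: [GROUP1, USER_B],   # group 1 is nested inside group 2
}


def resolve_nested_groups(groups):
    """Return {group_dn: sorted user DNs}, expanding nested member groups.

    A group's users are its direct user members plus the users of every
    group nested inside it. Users of the containing group are never added
    to the nested group (the wrong direction reported in this bug).
    The visited set guards against cyclic nesting in the directory.
    """
    def users_of(group_dn, visited):
        visited.add(group_dn)
        users = set()
        for member in groups.get(group_dn, ()):
            if member in groups:                 # nested group: descend
                if member not in visited:
                    users |= users_of(member, visited)
            else:                                # plain user entry
                users.add(member)
        return users

    return {g: sorted(users_of(g, set())) for g in groups}


def groups_of_user(cache, user_dn):
    """Groups a user belongs to according to a resolved group -> users cache."""
    return sorted(g for g, users in cache.items() if user_dn in users)


if __name__ == "__main__":
    cache = resolve_nested_groups(GROUPS)
    print(cache)                          # user B appears only under group 2
    print(groups_of_user(cache, USER_B))  # ['cn=group2,...']
```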
Can you explain why this bug has the user pain status "Blocking further progress on the daily work"? From my understanding, this bug makes certain portal tiles visible to users who should not see them. The portal is not the right place to manage access to (web-)applications with tile visibility; permissions have to be configured otherwise.
(In reply to Erik Damrose from comment #1)
> Can you explain why this bug has the user pain status "Blocking further
> progress on the daily work"?
>
> From my understanding, this bug makes certain portal tiles visible to users
> who should not see them. The portal is not the right place to manage access
> to (web-)applications with tile visibility, permissions have to be
> configured otherwise.

You're right, my fault. I've corrected the pain status.
MR: https://git.knut.univention.de/univention/ucs/-/merge_requests/441
This bug occurs at one of our school customers and allows simple students or teachers to modify the portal.
I think another customer ran into this problem. In this case it was a teacher who can see the modify button for the portal, and therefore he sees all existing tiles. He is not able to modify the tiles, because saving leads to a 403. The user is a member of a group "testusers", and the "domain admins" group is also a member of this group. So the group cache (/var/cache/univention-portal/groups.json) shows "testusers" and "domain admins" for the user. For the customer it is confusing and not okay that the user can see all tiles in the edit mode.
univention-portal now depends on univention-group-membership-cache because it uses that cache mechanism to efficiently determine group memberships.

Package: univention-portal
Version: 4.0.7-8
User: nradovanovic
Scope: errata5.0-2

Package: univention-group-membership-cache
Version: 2.0.0-7
User: nradovanovic
Scope: errata5.0-2

commits: git log --grep "Bug #54497"

Verified:
* Code review
* Functional tests
* Package update
* Fix of inconsistent groups.json during update
* Update with extended /usr/share/univention-portal/portals.json
* Advisories

FYI: We decided against removing the ldap_uri etc. kwargs from code and default json dicts, because these could be used in extended portals.json configurations. Since there was no README.md in the univention-portal package which documents this for fellow developers, we could not determine if this could actually be a real life use case or not, so the original authors will have to clean up the code later if they see fit.
Verified:
* The keys of the updated groups.json are group names again
* I used https://github.com/josephburnett/jd#command-line-usage to diff the old and updated groups.json and it looks ok
* Package update fixes the groups.json
* Advisory: ok
<https://errata.software-univention.de/#/?erratum=5.0x389> <https://errata.software-univention.de/#/?erratum=5.0x390>